Video Screencast Help
Security Response

Attack of the clones?

Created: 12 Sep 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:46:25 GMT
Kevin Savage's picture
0 0 Votes
Login to vote

The world of misleading applications (aka"rogue antispyware") never ceases to amaze with clever socialengineering and tricks to con and persuade users into parting withtheir hard-earned cash. We have recently noticed a sharp increase inthe number of these applications. One example we came across recentlythat is really contributing to the trend is called AVSystemCare.

This misleading application is unique in two ways:

- It uses a clever trick that makes it easy to generate an endless amount of clones that while looking and behaving
the same, are named differently.
- It offers localized versions in numerous languages.

AVSystemCare uses a clever trick to allow all of its clones to useidentical files, but yet have different names. Installing any of theseclones involves downloading a small file from the clone Web site. Whenthe user executes this file it will download the main applicationcomponents. All of the application files, including the filesdownloaded from the clone Web sites are identical (for clones of thesame language).

So, if these files are the same for every clone, then how does theinstaller know which name to use when installing the application? Theanswer lies in the user’s cookies. After you have visited the clone Website to download the application, several cookies are stored on yourcomputer. Visiting a couple of clone Web sites shows that these cookiesare very similar for each domain:

Click to view larger image

When the downloaded file is executed it parses the user’s cookies tofind ones with names ‘gli’, ‘gai’ and ‘gI’. Domains that have thesecookies will also have a randomly named cookie containing the cloneapplication name in the Content field:

Click to view larger image

The installer uses this name in the subsequent installation. Themost recent cookies that match will be used, so if you happen todownload clone A, and then visit the Web site of a clone B, then whenyou install the application it will be called clone B.

You might be wondering what happens if you clear your cookies priorto installing the application. If the installer cannot find the cookiesit is looking for, then it uses a default name. For English cloneversions this name is AVSystemCare. Our tests also showed that theAVSystemCare cookie engine successfully parses cookies for InternetExplorer and FireFox, but not Opera or Safari.

In case you’re not happy with the name of your AVSystemCare clone,you can simply edit your cookies before installing it to get the nameof your choice:


Click to view larger image

Click to view larger image

As well, the makers of AVSystemCare have not limited themselves toEnglish language clones; so far, we have seen clones in 11 differentlanguages – English, Portuguese, German, Danish, Spanish, Italian,French, Japanese, Dutch, Norwegian, and Swedish. At the moment thereare over 70 domains hosting clones of AVSystemCare in differentlanguages; for example avsystemcare, virenfrierpc, norwayvirus, etc.

As before, all of the clones for a given language are identicalexcept for the name, as shown in these Japanese and Norwegian clones:

Click to view larger image

Click to view larger image

The following video demonstrates the similarities between AVSystemCare and some of its clones:

As the AVSystemCare machine continues to pump out clone after clone, users need to be extra vigilant. Symantec’s new microsite on misleading applications offers some insight into these threats, how they attack and how to protect yourself against them.